Ethical Hacking and Penetration Testing Guide
Rules of Engagement
Every penetration test you do comprises a rules of engagement (ROE) document, which defines how the penetration test will be laid out: what methodology will be used, the start and end dates, the milestones, the goals of the penetration test, the liabilities and responsibilities, and so on. All of these have to be mutually agreed upon by both the customer and the representative before the penetration test is started. The following are important requirements that are present in almost every ROE:
◾ A proper “permission to hack” agreement and a “nondisclosure” agreement should be signed by both parties.
◾ The scope of the engagement and what part of the organization must be tested.
◾ The project duration, including both the start and the end date.
◾ The methodology to be used for conducting the penetration test.
◾ The goals of the penetration test.
◾ The allowed and disallowed techniques, for example whether denial-of-service testing should be performed or not.
◾ The liabilities and responsibilities, which are decided ahead of time. As a penetration tester you might break into something that should not be accessible, causing a denial of service; you might also access sensitive information such as credit card data. Therefore, the liabilities should be defined prior to the engagement.
If you need more thorough documentation, refer to the “PTES Pre-engagement” document (http://www.pentest-standard.org/index.php/Pre-engagement).
[Figure: PTES pre-engagement mind map. Branches: How to scope; Metrics for time estimation; Questionnaires; Scope creep. Nodes shown: Scoping; Specify IP ranges and domains; Validate ranges; Cloud services; ISP; Web hosting; MSSPs; Countries where servers are hosted; Dealing with third parties; Define acceptable social engineering pretexts; Estimating project as a whole; Additional support based on hourly rate; Questions for business unit managers; Questions for systems administrators; Questions for help desk; General employee questions; Specify start and end dates; Letter of Amendment (LOA); Tie back to goals section.]
Before starting a penetration test, it’s good practice to set up milestones so that your project is delivered as per the dates given in the rules of engagement.
You can use either a Gantt chart or a website like Basecamp that helps you set up milestones to keep track of your progress. The following is a chart that defines the milestones followed by the date by which they should be accomplished.